Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11766
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-30 10:29:15 | thehackernews | DATA BREACH | Italian Watchdog Flags ChatGPT for Potential GDPR Violations | Italy's data protection authority alleges privacy violations by OpenAI's ChatGPT under the EU GDPR. An investigation into ChatGPT's handling of personal data was launched after a temporary ban on the service. OpenAI has implemented privacy controls and reinstated access to ChatGPT but now has 30 days to respond to the new findings. The concerns involve ChatGPT collecting personal data without proper consent and potential exposure of sensitive information. Separately but relatedly, a bug in Google's Bard chatbot led to private conversations being indexed and exposed via Google search. Amid the privacy debate, Apple opposes a proposed U.K. law that it believes could undermine global user privacy and security. A SaaS security masterclass webinar provides insights from a study of 493 companies, emphasizing important security practices. | Details |
| 2024-01-30 09:32:49 | theregister | MISCELLANEOUS | UK Biometrics Commissioner Critiques Governance Flaws | The outgoing UK biometrics and surveillance commissioner, Dr Fraser Sampson, highlights serious governance issues in the Home Office in his final report. Sampson's tenure experienced challenges with limited engagement from Whitehall and insufficient resources to perform his duties effectively. The upcoming Data Protection and Digital Information (DPDI) Bill will dissolve the commissioner's role, transferring responsibilities to the Investigatory Powers Commissioner's Office (IPCO) with less oversight of biometrics. Technical problems within systems that manage National Security Determinations (NSDs) for biometric data retention have led to inaccuracies and an inability to perform mandated duties. Ethical concerns are raised regarding the procurement and testing of surveillance technology within UK police forces, particularly the use of potentially compromised Chinese technology. Sampson moves to the private sector, continuing his work in biometric governance as a director at a retail face biometrics company, Facewatch. Tony Eastaugh is appointed as the new commissioner, tasked with transitioning powers to the IPCO, amid concerns over the future of UK biometrics and surveillance governance. | Details |
| 2024-01-30 08:46:43 | thehackernews | MALWARE | ZLoader Malware Resurfaces with Enhanced 64-bit Windows Attack Capabilities | Security researchers have detected a revived campaign deploying a new variant of the ZLoader malware with upgraded features and 64-bit Windows compatibility. This resurgence comes nearly two years after a coordinated disruption effort led by Microsoft in April 2022 effectively dismantled the botnet responsible for the malware's distribution. The updated ZLoader now includes RSA encryption and a refined domain generation algorithm to aid in evading detection and analysis. The malware, which originated from the Zeus banking trojan, typically spreads through phishing and malvertising, and serves as a loader for other malicious payloads. The latest versions of ZLoader demonstrate advanced tactics to avoid analysis, including inserting junk code, employing string obfuscation, and requiring specific filenames to execute. Despite the disruption of its infrastructure in 2022, researchers anticipate that ZLoader's comeback could precipitate new ransomware attacks due to the persistence of the threat group behind it. Microsoft has taken steps to mitigate the threat by disabling the MSIX protocol handler by default, since it had been increasingly exploited to spread malware, including ZLoader, since July 2023. The return of ZLoader is part of a broader trend of new malware variants emerging, like Rage Stealer and Monster Stealer, that are also used to pilfer information and launch further attacks. | Details |
| 2024-01-30 05:07:54 | thehackernews | CYBERCRIME | Juniper Networks Patches High-Severity Vulnerabilities in Junos OS | Juniper Networks has issued out-of-band updates for high-severity vulnerabilities in its SRX and EX Series products. The flaws, identified as CVE-2024-21619 and CVE-2024-21620, could allow attackers to gain control over affected systems. Security firm watchTowr Labs identified and reported these critical issues. Users are advised to either disable the J-Web component or restrict access to it as immediate mitigation steps. The CVE-2023-36846 and CVE-2023-36851 vulnerabilities, disclosed in August and known to be exploited in the wild, are also covered in CISA's KEV catalog. Juniper Networks previously addressed another critical vulnerability (CVE-2024-21591) that potentially allowed DoS attacks and remote code execution. A related SaaS Security Masterclass webinar provides insights into SaaS security practices based on the study of 493 companies. | Details |
| 2024-01-29 22:44:21 | bleepingcomputer | DATA BREACH | Keenan Alerts 1.5 Million To Data Breach Post Cyberattack | Keenan & Associates notifies 1.5 million individuals of a data breach following a cyberattack in summer 2023. Personal information of customers and employees was accessed by unauthorized parties between August 21 and August 27. The breach potentially exposes names, Social Security numbers, financial information, and health insurance details. The breach subjects affected individuals to risks of identity theft, financial fraud, and phishing scams. Following the breach, Keenan has taken measures to bolster its network and systems security. Affected parties are provided complimentary identity theft protection services and advised to monitor their accounts for irregularities. | Details |
| 2024-01-29 22:03:10 | bleepingcomputer | CYBERCRIME | Critical RCE Vulnerability Affects 45K Jenkins Servers Worldwide | A critical remote code execution flaw, CVE-2023-23897, affects approximately 45,000 online Jenkins automation servers. Multiple public proof-of-concept exploits for the CVE-2023-23897 vulnerability are circulating, placing unpatched systems at high risk. The flaw emerges from a CLI feature that swaps an "@" character followed by a file path with the file's content, potentially exposing sensitive information. Attackers could leverage this flaw to decrypt stored secrets, alter Jenkins server contents, or bypass CSRF protection, depending on permissions and configurations. Security updates 2.442 and LTS 2.426.3 were released by the Jenkins project on January 24, 2024, to address this security issue. Most exposed Jenkins instances are located in China and the United States, with Germany, India, France, and the UK also hosting numerous vulnerable systems. Threat monitoring has detected active scans targeting unpatched Jenkins servers, suggesting imminent exploitation is likely. Jenkins users are being urged to apply security updates or consult the official security bulletin for mitigation strategies if immediate updates are not feasible. | Details |
| 2024-01-29 20:56:11 | theregister | NATION STATE ACTIVITY | SolarWinds Challenges SEC Lawsuit Over Alleged Misleading Security Practices | SolarWinds is contesting the SEC's lawsuit, claiming unjust victim blaming after its software was compromised by Russian state-sponsored hackers. The SEC accuses SolarWinds and its CISO of misleading investors about the company's cybersecurity practices since October 2018. SolarWinds' legal representation argues that the firm adequately disclosed risks and fulfilled its obligations to notify about security vulnerabilities. Approximately 18,000 organizations were affected by the Orion software backdoor, but the SEC's lawsuit focuses on alleged misleading investor communications. SolarWinds emphasizes that disclosing detailed cybersecurity weaknesses can be detrimental by giving attackers a potential roadmap to exploit. Legal documents assert that CISO Tim Brown, also targeted by the SEC, did not mislead investors and performed his role competently during the crisis. The SEC has not made a public response to the challenges raised by SolarWinds against the lawsuit. | Details |
| 2024-01-29 20:14:57 | bleepingcomputer | RANSOMWARE | Schneider Electric Targeted by Cactus Ransomware, Corporate Data Stolen | Schneider Electric's Sustainability Business division was hit by the Cactus ransomware, resulting in the theft of corporate data. The attack occurred on January 17th, causing disruptions and ongoing outages in the Resource Advisor cloud platform. The ransomware gang has stolen terabytes of data and is threatening to leak it unless a ransom is paid. Customers of the affected division include major corporations, which may have had sensitive data regarding power utilization and regulatory compliance compromised. Schneider Electric has acknowledged the attack and is undertaking remediation and recovery efforts, with ongoing forensic analysis and discussions with affected customers. The company asserts that the attack was confined to the Sustainability Business division, with no other parts of the company impacted. This isn't the first cybersecurity challenge for Schneider Electric; the company was previously impacted by the Clop ransomware gang's MOVEit data theft attacks. | Details |
| 2024-01-29 16:33:41 | bleepingcomputer | CYBERCRIME | FBI Alerts Public to Scammers Using Couriers for Fraud | The FBI has issued a warning about scammers employing courier services to collect money and valuables from victims of tech support and government impersonation scams. Criminals are instructing mostly senior victims to liquidate assets into cash or buy precious metals for "protection," only to have couriers pick them up. Scammers often pose as tech support, financial institutions, or government officials, claiming the victim's financial accounts are compromised. Victims are coerced into sending cash, converting assets into precious metals, or wiring funds to dealers, who are part of the scam. In-person pickups are arranged by scammers, who give victims a passcode to "authenticate" the fraudulent transactions with the courier. The FBI reports an uptick in this fraudulent activity, with losses over $55 million from May to December 2023. To combat these scams, the FBI advises against sending gold or valuables in response to phone requests and stresses the importance of not meeting with strangers or disclosing personal details. Victims should promptly report cases to the FBI with detailed information on the scammers. | Details |
| 2024-01-29 16:23:14 | bleepingcomputer | CYBERCRIME | Ransomware Payment Rates Drop as Trust in Cybercriminals Wanes | Ransomware payment rates have decreased to a record low of 29% in Q4 of 2023, as reported by Coveware. The decline in payment rates is attributed to better organizational preparedness, distrust in cybercriminals' promises, and legal restrictions in some regions. Despite data theft in cyberattacks, only 26% made payments in the last quarter of 2023. Average ransom payments have decreased by 33% to $568,705, with the median payment at $200,000 in Q4 2023. The median size of organizations targeted by ransomware has decreased as cybercriminals adjust their strategies. Discussions on the impact of potential ransom payment bans suggest that such policies could drive the issue underground and hinder progress in victim and law enforcement cooperation. Coveware advises doubling down on existing measures to continue making ransomware less profitable for criminals. Even as ransomware remains a significant threat, the declining payment trend reflects progress in the fight against cybercrime. | Details |
| 2024-01-29 15:31:54 | bleepingcomputer | DATA BREACH | Ex-DHS Officials Sentenced for Data Theft of 200K Federal Employees | Three former employees of the Department of Homeland Security (DHS) have been sentenced for stealing government software and the personal data of 200,000 federal employees. The individuals include a former Acting Inspector General and two members of the IT staff, with sentences ranging from probation to 1.5 years in prison. The theft encompassed government property and the intent to defraud the United States, with illegal activities occurring between 2019 and 2022. The stolen data and software were given to software developers in India with the intent to create and sell a similar commercial product to government agencies. Among the stolen databases was one with personally identifiable information (PII) of DHS-OIG and USPS-OIG employees. At least one of the individuals attempted to delete evidence linked to the scheme upon learning of the investigation, further obstructing justice. The status of the Indian developers and the securing of the stolen data remain uncertain, and actions to recover or secure the data may be too late. | Details |
| 2024-01-29 13:33:48 | thehackernews | DATA BREACH | Microsoft Outlook Flaw Risked NTLM Hashed Password Leakage | A serious vulnerability was discovered in Microsoft Outlook, potentially allowing attackers to access hashed NTLM v2 passwords. The flaw, tracked as CVE-2023-35636 with a CVSS score of 6.5, was patched by Microsoft in December 2023 as part of its Patch Tuesday updates. Attack vectors included phishing emails or web-based attacks where victims would be tricked into opening a malicious file. The NTLM hash leakage was possible via the calendar-sharing function in Outlook by inserting specific headers in an email. While patches addressed the main vulnerability, related risks involving Windows Performance Analyzer and Windows File Explorer haven't been patched. Researchers highlighted the flaws of NTLM authentication and Microsoft's move to phase it out in Windows 11 in favor of the safer Kerberos protocol. Enhanced security practices and awareness are crucial to avoid falling victim to such exploitation techniques. | Details |
| 2024-01-29 11:40:52 | thehackernews | DATA BREACH | Mastering SaaS Security: Exclusive Webinar Insights from Industry Survey | 97% of companies are exposed to severe risks due to unsecured SaaS applications. 20% of these organizations are battling internal data threats. The upcoming webinar by Wing Security COO, Ran Senderovitz, will offer in-depth insights into SaaS security challenges. The event promises a comprehensive analysis of data from 493 companies, identifying statistics and trends in SaaS security. Attendees will receive actionable tips for immediate implementation to enhance their organization's security posture. The webinar will provide a forecast of SaaS security threats expected in 2024 and strategies to combat them. IT and security professionals will gain valuable knowledge and tools to proactively defend against SaaS-related threats. The session aims to transform SaaS security challenges into opportunities for strengthening organizational defenses. | Details |
| 2024-01-29 11:14:53 | thehackernews | MISCELLANEOUS | The Evolution of Artificial Intelligence in Cybersecurity Defense | AI has become critical in cybersecurity, offering advanced features from spam filtering to predictive analytics and AI-assisted responses. The democratization of AI technology presents a significant challenge, arming attackers with sophisticated means to launch advanced cyber threats. Early 2000s malware like ILOVEYOU and the Zeus banking trojan highlighted the need for evolving security solutions. The second wave (2010–2020) saw an increasingly dynamic IT landscape with cloud computing and SaaS, coupled with an uptick in sophisticated cyber threats. AI-based cybersecurity tools, such as those pioneered by Cylance, have been instrumental in outpacing increasingly sophisticated malware and attacks. The third wave (2020-present) showcases a profound shift where AI is also being used by adversaries, necessitating an informed and well-equipped defense strategy. As cyber threats continue to grow in both scale and sophistication, the dual use of AI demands continuous innovation and vigilance in cybersecurity practices. | Details |
| 2024-01-29 11:09:32 | thehackernews | MALWARE | Emerging Ransomware Variants Utilize Advanced Languages and Deception Tactics | Fortinet FortiGuard Labs identified the Faust variant of Phobos ransomware using an Excel document to deliver malware. New ransomware families, including Albabat and Kuiper, leverage the programming languages Rust and Golang to avoid common code issues and enhance cross-platform capabilities. Faust ransomware doesn't specifically target industries or regions and uses multiple threads for its file encryption, making it more resilient and efficient. Kuiper ransomware, linked to the threat actor RobinHood, was advertised on underground forums and developed to target multiple operating systems. NONAME ransomware imitates the data leak site of the known LockBit group, suggesting potential connections or shared strategies. The links among the Royal/BlackSuit ransomware, the 3 AM ransomware, and the remnants of the Conti cybercrime group indicate shared tactics and infrastructure. Ransomware attacks continue to exploit common remote access tools like TeamViewer and misuse legitimate-looking documents, such as resumes in Word format, to execute attacks. | Details |